A ransomware strain that has successfully crept into more than 100 government and private enterprises in the U.S. and internationally has been detected in China, according to a recent Tencent Security report.
Dubbed Ryuk, the pernicious code targets “logistics companies, technology corporations and small municipalities” with high-value data, demanding ransoms upwards of $5 million paid in bitcoin, according to the Federal Bureau of Investigation (FBI).
In January, Ryuk was believed to be behind a hack of Tribune Publishing, affecting all of the media conglomerate’s outlets. In June, officials in Lake City, Florida paid out a $460,000 ransom after the city’s computer systems went dark. This came two weeks after Riviera Beach, Florida’s $600,000 hijacking.
Ryuk is considered a modified version of the Hermes virus, which debuted in August 2018. It spreads via the usual botnet and spam strategies and infiltrates through unprotected IP ports.
Once installed, the malware deletes all files related to the intrusion and kills antivirus processes, thereby obscuring the infection vector. In one case, however, FBI agents found evidence that Ryuk entered via a Remote Desktop Protocol (RDP) brute-force attack.
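The RDP brute-force entry the FBI describes leaves a recognisable trace on the victim host: a burst of failed RemoteInteractive logons (Windows Security event 4625, logon type 10) from one source address, sometimes followed by a success (event 4624) from the same address. The detector below is an added example written for this article, not code from Tencent Security, the FBI or any Ryuk analysis; the event records, their field names (`time`, `event_id`, `logon_type`, `user`, `src_ip`) and the IP addresses are constructed for the demonstration and would be mapped from whatever log source a real environment exports.

```python
"""Flag RDP brute-force patterns in Windows Security logon events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape of Windows Security log fields.
# Event 4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
# Source addresses come from documentation ranges and are not real indicators.
SAMPLE_EVENTS = [
    {"time": "2019-07-01T02:00:01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2019-07-01T02:00:03", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.7"},
    {"time": "2019-07-01T02:00:05", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.7"},
    {"time": "2019-07-01T02:00:08", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2019-07-01T02:00:10", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2019-07-01T02:00:12", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2019-07-01T02:00:40", "event_id": 4624, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    # A user who mistyped a password twice and then logged in: below threshold, no alert.
    {"time": "2019-07-01T09:15:00", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "198.51.100.3"},
    {"time": "2019-07-01T09:15:20", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "198.51.100.3"},
    {"time": "2019-07-01T09:15:45", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "198.51.100.3"},
    # Network logon (type 3) failure: not RDP, ignored by this rule.
    {"time": "2019-07-01T09:20:00", "event_id": 4625, "logon_type": 3, "user": "svc_sql", "src_ip": "192.0.2.9"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {src_ip: finding} for sources with at least `threshold` failed RDP
    logons inside any sliding `window`. A finding starts as 'brute_force' and is
    upgraded to 'brute_force_success' when a later successful RDP logon arrives
    from the same source, which is the case that warrants immediate response."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    recent = defaultdict(list)   # src_ip -> failure timestamps still inside the window
    total = defaultdict(int)     # src_ip -> all failures seen from that source
    tried = defaultdict(set)     # src_ip -> usernames attempted
    findings = {}
    for e in ordered:
        if e["logon_type"] != 10:  # only RemoteInteractive (RDP) logons matter here
            continue
        ip, t = e["src_ip"], datetime.fromisoformat(e["time"])
        if e["event_id"] == 4625:
            total[ip] += 1
            tried[ip].add(e["user"])
            recent[ip] = [f for f in recent[ip] if t - f <= window] + [t]
            if len(recent[ip]) >= threshold:
                finding = findings.setdefault(ip, {"status": "brute_force"})
                finding["failures"] = total[ip]
                finding["users"] = sorted(tried[ip])
        elif e["event_id"] == 4624 and findings.get(ip, {}).get("status") == "brute_force":
            findings[ip]["status"] = "brute_force_success"
            findings[ip]["success_user"] = e["user"]
            findings[ip]["success_time"] = e["time"]
    return findings


def format_alerts(findings):
    """Render findings as one alert line per source, successes first."""
    order = {"brute_force_success": 0, "brute_force": 1}
    lines = []
    for ip, f in sorted(findings.items(), key=lambda kv: order[kv[1]["status"]]):
        line = f"{f['status']}: {ip} failures={f['failures']} users={','.join(f['users'])}"
        if "success_user" in f:
            line += f" succeeded_as={f['success_user']} at {f['success_time']}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in format_alerts(detect_rdp_bruteforce(SAMPLE_EVENTS)):
        print(line)
```

The threshold and window are deliberately parameters: a lower threshold catches slow password spraying but raises noise from legitimate typos, so the two-failure user above stays silent at the default but would be flagged at `threshold=2`. In practice the same rule would be fed from the Security event channel (or a SIEM export) and paired with the mitigation the article implies: not exposing RDP to the internet at all.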
The virus additionally drops a “RyukReadMe” file that opens the ransom note in the victim’s web browser. The HTML page lists only the hackers’ two e-mail addresses in the upper left-hand corner, the name of the virus in the middle of the page, and the cryptic phrase “stability of shadow universe” in the bottom right corner.
The FBI has been tracking the virus since 2018 and has seen several modifications. The Chinese variant is reported to run a 32-bit and a 64-bit ransom module simultaneously, which may allow further evolution of the malware.
It has not been disclosed how many Chinese enterprises have been infected as of press time, or the total amount the hackers have ransomed.